Defense in Depth

David Spark, Steve Zalewski, Geoff Belknap
Jun 25, 2020 • 26min

Drudgery of Cybercrime

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-drudgery-of-cybercrime/)

Why does the press persist in referring to all cyber breaches as sophisticated attacks? Is it to make the victim look less weak, or do they simply not know the tedium that's involved in cybercrime? Check out this post by Brian Krebs for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Steve Zalewski, deputy CISO, Levi Strauss.

Thanks to this week's podcast sponsor, IronNet Cybersecurity. To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.

On this episode of Defense in Depth, you'll learn:
- There's a dichotomy between how the press glorifies cybercrime as being "sophisticated" and the reality that much of cybercrime is drudgery.
- Most cybercrime is run under a pay-for-hire or a web-based service model.
- Cybercriminals have to deal with many of the same business-related issues we all do, such as support, infrastructure, customer relations, and sales.
- Given that the cybercriminals are usually doing work for someone else, they have customers, and those customers will often complain if they are not getting the expected service.
- There was a question of whether cybercrime pays. It seemed that if you had some basic technical talents, then legitimate InfoSec was a far more lucrative field that would probably offer benefits that cybercrime couldn't.
- The paper states that low-skilled administrators often don't know much about the systems they maintain. This would lead one to believe they're also far removed from the criminal activity.
- Many of these claims about the boredom of cybercrime can be made of the InfoSec community as well.
- Once you understand that cybercrime is a business with a need for ROI like any other business, the goal in protecting oneself is simply to make it too costly and not financially attractive to be hacked.

Jun 18, 2020 • 26min

Security Budgets

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-security-budgets/)

How do you calculate a security budget? Is it a percentage of the IT budget? Something else? And why does it grow so drastically after a breach?

Thanks to this week's podcast sponsor, IronNet Cybersecurity. To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.

On this episode of Defense in Depth, you'll learn:
- The general consensus among the community is that cybersecurity is a "spend it now or spend more later" decision.
- While everyone wants to find a metric to determine how much to spend on cybersecurity, there doesn't seem to be any that is useful.
- The CISO's job is to provide data about risks so the business can make the decision about cybersecurity spending.
- Most assume that after a breach there's more cybersecurity budget, but what you get first is cooperation.
- Look at security as a market differentiator. What if you could withstand a cyber attack but your competition couldn't? Or possibly you could deliver a higher level of reliability to your customers. How would your business be perceived by the market?
- A business impact analysis calculator can help you understand your risk levels. Allan Alford has one on his site.
- Many felt the biggest cost to a company suffering a breach isn't the loss of data or the regulatory fines, but the damage to the company brand.
- The cost of proactive protection always beats the cost of suffering a data breach.
- One listener recommended that MBA programs should have a breach case study as part of their curriculum.

Jun 11, 2020 • 29min

Role of the BISO

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-role-of-the-biso/)

What is a business information security officer, or BISO? Do you need one? Is it just an extension of the CISO, or is it simply taking on the business aspect of the CISO role? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Nicole Dove (@IssaUrbanGirl), BISO, ADP, and host of the Urban Girl Corporate World podcast.

Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct's on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware, with unmatched accuracy and speed. Find out more about the solution's wide-covering platform play.

On this episode of Defense in Depth, you'll learn:
- A BISO becomes very valuable where they can be mapped to a specific business unit (by locale or business line).
- The BISO role has become important because practically all companies are reliant on data and technology.
- The BISO must have the power to do their job. That requires autonomy and decision-making ability.
- Another way to describe a BISO is as a senior business analyst with a security focus.
- From CISO to project manager, roles change often for a BISO.
- Geo-aligned positions for BISOs have become extremely valuable in light of different and growing territorial regulations.
- BISO is a good role for a wannabe CISO.
- Only large companies have room for a BISO.
- A BISO who can cozy up to a particular business unit's sales strategy is of enormous value.
- Make sure the BISO is actually bringing value and not just acting as a gatekeeper between security and the business.

Jun 4, 2020 • 26min

Shared Accounts

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-shared-accounts/)

As bad as all security professionals know they are, shared accounts are a fact in the business world. They still linger, and from an operational standpoint they're hard to secure and hard to get accountability for. Why are they still around, and what can be done about them? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Jake King (@jakeking), CEO, Cmd.

Thanks to this week's podcast sponsor, Cmd. Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

On this episode of Defense in Depth, you'll learn:
- As much as it makes security professionals cringe, shared accounts are a business reality that can't be avoided.
- Certain business processes force shared accounts to exist, but that doesn't mean that, as a security professional, you shouldn't grill people to find out why the shared account exists and whether there's a way you can remove that shared privilege.
- Get an inventory of your shared accounts. You can also do this by mapping credentials to location information.
- Time pressures in a physical environment often force shared accounts.
- You need to shine a light on shared accounts even if they're not going to go away. It's part of your GRC (governance, risk, and compliance) program.
- There are compensating controls one can put around shared accounts, such as password rotation, monitoring usage, and alerts.
- Privileged access management (PAM) is the favorite solution for dealing with shared accounts. Often you don't need compensating controls if you have a dynamic PAM solution in place.
- The need for accountability is key here. If you don't have an equal understanding of its importance, then those eventual issues are simply going to magnify.

May 28, 2020 • 30min

Bug Bounties

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-bug-bounties/)

What is the successful formula for a bug bounty program? Should it be run internally, by a third party, or should you open it up to the public? Or maybe a mixture of everything? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Justin Berman (@justinmberman), head of security, Dropbox.

Thanks to this week's podcast sponsor, Cmd. Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

On this episode of Defense in Depth, you'll learn:
- Like red teaming, you need outside eyes looking at your environment and vulnerabilities.
- There was much debate between internal, private, and public bug bounty programs. But it was agreed that if you do them, you do them in that order.
- There was another concern regarding the cost of a bug bounty program. Whether you do them or not, you're still going to pay for coding errors and vulnerabilities one way or another. It's either upfront or later.
- Those new to bug bounty programs are not aware of the additional costs of management and of engaging with the researchers and white hat hackers. That is a critical part of the bug bounty program.
- Before you begin, set up a system to manage the flow of problems reported. If not, you and your staff could very quickly be overwhelmed.
- Having a consistent and clear way of handling the findings is often more important than the findings themselves. Have you allocated budget to remediate the findings? Are you going to need to make a case as each weakness is found?
- Keep in mind that companies don't go into bug bounty programs for the same reasons. Some go into it for publicity or to form relationships with researchers.
- Communication between your engineers and the bug bounty researchers is critical. If your team is non-responsive, the bug bounty program could backfire.
- Most people are wary of public bug bounty programs because of the low signal-to-noise ratio. As there is a rush for attention and money, the whole effort may implode.

May 21, 2020 • 25min

Data Classification

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-classification/)

The more data we hoard, the less useful any of it becomes, and the more risk we carry. If we got rid of data, we could reduce risk. Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Nina Wyatt, CISO, Sunflower Bank.

Thanks to this week's podcast sponsor, Cmd. Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

On this episode of Defense in Depth, you'll learn:
- Usable, user-friendly, viable-in-every-scenario data protection that is invisible, seamless, and always on does not exist, but could exist, and should exist.
- Classification tools that tout automation really aren't automated. There is still a good amount of manual intervention.
- Another way to solve the data protection issue is to get rid of data. Our data protection problem amplifies as we find ourselves protecting more data. But a lot of data simply doesn't need to be protected. It could be classified for non-protection or just destroyed.
- Data is mostly unstructured, and it needs to be structured in the sense that you know how data is flowing, and that is extremely difficult to do. We spend more time on hardware and networking diagrams, but what we should be doing is diagramming data flow.
- Mandate retention limits on data. People don't like it, but it's going to make you a lot safer. Just mandate the lifespan of data. If it's not needed or accessed in a certain period of time, archive it or possibly kill it.
- People think holding onto data is costless, but the reality is that the longer you hold onto it, the more costly it becomes from a security perspective.
- Utility to you vs. utility to the bad guys is relative. For example, a bank statement from five years ago has little utility to you now, but if a bad guy is looking for information, it has the same value as a bank statement from today.
- The questions you need to be asking: Is your data sensitive? Does it have open permissions? How long has it been since the data was accessed?
- Data with PII is both an asset and a liability.
- Classifying data also has a major problem with consistency. Often data can be put into multiple categories or classes.
- Security of the data itself is usually not the factor many consider. We are often thinking about the security around data.

May 14, 2020 • 27min

Prevention vs. Detection and Containment

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-prevention-vs-detection-and-containment/)

We agree that preventing a cyber attack is better than detection and containment. Then why are the overwhelming majority of us doing detection and containment? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Steve Salinas (@so_cal_aggie), head of product marketing, Deep Instinct.

Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct's on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware, with unmatched accuracy and speed. Find out more about the solution's wide-covering platform play.

On this episode of Defense in Depth, you'll learn:
- A recent Ponemon study notes that most security professionals agree that prevention is a better security strategy than detection and containment.
- Even with the acceptance that prevention is a better security posture, most security spending goes into detection and containment.
- By implementing firewalls, patching, and security training, many of us are already doing prevention, but may not classify it as such.
- Prevention is not nearly as expensive as creating a detect and respond security program.
- The two halves work in concert. No prevention program can be perfect, and that's why you always need a detect and contain program as well.
- The reason you don't go with detect and respond alone, without prevention, is that the flood of valid information will be too much for a security program to handle.
- There was a strong argument for detect and respond because it shows that the products you spent money on are actually working. This is not just to humor the security professional, but also to give some "evidence" to the senior executives.
- A lot of prevention comes down to the individual. But since it's so tough to get people to change behavior, there's less friction in just purchasing another prevention tool to protect people from their own behavior.
- Prevention tools won't stop the attackers who sit dormant on a network waiting to attack. Their behavior has to be spotted with the use of detection and containment.

May 7, 2020 • 28min

Asset Valuation

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-asset-valuation/)

What's the value of your assets? Do you even understand what they are worth to you or to a criminal looking to steal them? Do those assets become more valuable once you understand the damage they can cause? Check out this post for the basis for our conversation on this week's episode, which features me and Allan Alford. Our guest is Bobby Ford, global CISO, Unilever.

Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

On this episode of Defense in Depth, you'll learn:
- Allan revised the well-known formula for risk (Risk = Likelihood x Impact) to reflect an asset's importance. So instead, Risk = Threat plus Vulnerability as aimed at an Asset.
- It's hard to get a stakeholder to tell you the value of their assets. Instead, ask them the reverse: describe the absolute worst breach scenario. What's the second worst? And then on down until you have an understanding of the hierarchy of the assets.
- A business impact analysis (BIA) will also help uncover asset valuation. Allan Alford has a BIA calculator on his site.
- The simple question of "What are you defending?" is one that most business leaders struggle to answer. They need to be able to answer that question often.
- Once you know what to defend, the question is how much to defend, and after that, whether there is anything that doesn't need to be defended.
- You may actually not be able to start this process if you don't know what your asset inventory is. This should be managed with a discovery tool and multiple iterations of discovery.
- While you're valuing your own assets, try to make sense of what these assets mean to an attacker. That will help you answer the question of "how much to defend".

Apr 30, 2020 • 27min

DevSecOps

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-devsecops/)

We know that security plays a role in DevOps, but we've been having a hard time inserting ourselves into the conversation and into the process. How can we get the two sides, developers and security, to better understand and appreciate each other? Check out this post and this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Sumedh Thakar (@sumedhthakar), president and chief product officer, Qualys.

Thanks to this week's podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you'll learn:
- It's debatable whether the term "DevSecOps" should even exist. The argument for the term is to just make sure that security is part of the discussion, but security people feel that's redundant.
- Security is not an additional process. It should be baked in. It's an essential ingredient. But should it really be seen as "embedding", or rather as a partnership? Developers and operations operate as partners.
- Instead of dumping security tools on developers and just demanding "implement this", security needs to go through the same transition development had to go through to be part of "Ops".
- As DevOps looks forward to what's next, how can security do the same?
- Security is unfortunately seen as an afterthought, and that's antithetical to the DevOps philosophy.
- Security is an innate property that imbues quality in the entire DevOps effort.
- Security will slow down DevOps. It's unavoidable. Not everything can be automated. But if you deliver the security in bite-sized chunks, you can get to an acceptable level of speed.
- The business needs to specify the security requirements, since they were the ones who specified the speed requirements. That's how we got to DevOps in the first place.

Apr 23, 2020 • 28min

Fix Security Problems with What You've Got

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-fix-security-problems-with-what-youve-got/)

Stop buying security products. You probably have enough. You're just not using them to their full potential. Dig into what you've got and build your security program. Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Brent Williams (@brentawilliams), CISO, SurveyMonkey.

Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct's on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware, with unmatched accuracy and speed. Find out more about the solution's wide-covering platform play.

On this episode of Defense in Depth, you'll learn:
- It's very possible you're not using the tools you've purchased to their full potential. What would happen if you completely stopped buying security products and tried to fix your problems with the tools you've already purchased?
- The reason this is such a popular discussion is that, as an industry, we're still struggling with managing the fundamentals of security.
- Shelfware happens because we buy before we're ready. Purchase decisions should be made in conjunction with knowing whether you have the staff, and understanding the integration points, to implement the solution.
- Tooling for the first few layers must be dealt with first. You don't need a solution selling a higher layer of security if you don't have the foundation built.
- Much of this argument is based on the messaging we hear from vendors. They're understandably in the business of selling product. Be cognizant of how you're absorbing information.
- We also need to focus on the people, who unfortunately are fallible and can make non-malicious but poor decisions. If there was going to be any additional spending, the argument was to invest in your people - from the entire staff to specific training for your security staff.
